OpenID stuff

RobbieThe1st · October 20, 2008, 01:00:28 AM

I need some help testing my OpenID login script.
http://robbiethe1st.afraid.org/pf/openid.php
Try to login with it, and tell me what happens.
Note that if you have a Yahoo account or Gmail account or an account at one of many other sites, you have an OpenID - You just need to find the OpenID ID. Googling for it helps.
Yahoo members click Here
Gmail members click Here
MyOpenId (openID provider)
OpenID.org (openID provider)

For developers:
This page is an awesome tutorial on how to use OpenID, and how to simply implement it with no special libraries.

Old, obsolete post:

QuoteOk, so I have some webpages that need authentication(admin pages and such). I decided, instead of what I used to do, which was basically have a text-database with usernames & password-hashes, I would try to use OpenID to do the same thing. I start reading up on it... and I can't make heads or tails out of it.

What I want to do is have a login page with OpenID and Password boxes. You click submit, and it checks the openID against a local list of known/registered OpenIDs. Then, if the OpenID is a valid one, it contacts the OpenID server(Yes, I know that the information is part of the OpenID) with the password, and, I am hoping, gets a response if that OpenID/password is a valid combination - I.E. the password entered is correct.

I can do the first bit, but have no clue about how to contact the OpenID server chosen with the password and get a response, or even if what I want to do is possible.

The list of authenticated users I plan on updating manually.

Anyone know where I should start, or even know what I am talking about?

Thanks,

-RobbieThe1st

RobbieThe1st · October 24, 2008, 12:04:50 AM

Please delete this post

-RobbieThe1st

llearch n'n'daCorna · October 24, 2008, 05:32:47 AM

Quote from: RobbieThe1st on October 24, 2008, 12:04:50 AM
Please delete this post

Must we?

Gabi · October 29, 2008, 08:48:49 AM

A login script? It sounds like it could very easily be used for stealing people's passwords. What's its purpose?

superluser · October 29, 2008, 06:15:10 PM

Quote from: Gabi on October 29, 2008, 08:48:49 AMA login script? It sounds like it could very easily be used for stealing people's passwords. What's its purpose?

http://en.wikipedia.org/wiki/Openid

I haven't read it yet, but I'm sure it explains what it's for.

llearch n'n'daCorna · October 29, 2008, 06:34:50 PM

I believe, superluser, that Gabi was querying what Robbie's script was for... not what OpenID is for... ;-]

RobbieThe1st · October 30, 2008, 11:04:14 PM

The whole idea behing OpenID is that a third party site, like mine, would *not* ever have access to your password. Your password and authentication is all done by your OpenID Provider.

This is just a script I am working on that I can attach to anything needing security - I simply provide it with a list of approved OpenIDs, and it takes care of the login process.

-RobbieThe1st

superluser · October 31, 2008, 01:24:14 AM

Quote from: RobbieThe1st on October 30, 2008, 11:04:14 PM
The whole idea behing OpenID is that a third party site, like mine, would *not* ever have access to your password. Your password and authentication is all done by your OpenID Provider.

Does that mean I'm not crazy, then? Because, based on the name, I was pretty sure that that's what this was, and that knowing what OpenID was would answer Gabi's question.

Gabi · October 31, 2008, 11:45:16 AM

Well, I've had an OpenID from myopenid.com for well over a year (before I got a new one by getting a LiveJournal account, and now that Yahoo and Gmail are using them too I have 4), so I did know about it. I was, indeed, asking what Robbie's script was for. And I asked the question before I saw the form.

Yes, superluser, you can phish and use OpenID at the same time, it all depends on how you build the form.

QuoteYour login completed successfully.
OpenID: gabi.myopenid.com
Nickname: